diff --git a/lib/tls b/lib/tls
index 02906b7021..a84bb764ac 100644
--- a/lib/tls
+++ b/lib/tls
@@ -18,6 +18,9 @@
 # - configure_proxy
 # - start_tls_proxy
 
+# - stop_tls_proxy
+# - cleanup_CA
+
 # - make_root_CA
 # - make_int_CA
 # - make_cert ca-dir cert-name "common-name" ["alt-name" ...]
@@ -372,6 +375,22 @@ function start_tls_proxy {
 }
 
 
+# Cleanup Functions
+# ===============
+
+
+# Stops all stud processes. This should be done only after all services
+# using tls configuration are down.
+function stop_tls_proxy {
+    killall stud
+}
+
+
+# Remove CA along with configuration, as well as the local server certificate
+function cleanup_CA {
+    rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT"
+}
+
 # Tell emacs to use shell-script-mode
 ## Local variables:
 ## mode: shell-script
diff --git a/unstack.sh b/unstack.sh
index a5e7b879f9..fe5fc77cd2 100755
--- a/unstack.sh
+++ b/unstack.sh
@@ -122,9 +122,10 @@ if is_service_enabled horizon; then
     stop_horizon
 fi
 
-# Kill TLS proxies
+# Kill TLS proxies and cleanup certificates
 if is_service_enabled tls-proxy; then
-    killall stud
+    stop_tls_proxy
+    cleanup_CA
 fi
 
 SCSI_PERSIST_DIR=$CINDER_STATE_PATH/volumes/*